fix CVE-2021-3426 CVE-2021-29921

2021-05-31 21:28:52 +08:00 · 2021-05-31 21:28:52 +08:00 · 794c7eff20
commit 794c7eff20
parent b7072f7f10
3 changed files with 237 additions and 1 deletions
--- a/backport-CVE-2021-29921.patch
+++ b/backport-CVE-2021-29921.patch
@ -0,0 +1,126 @@
 From 5374fbc31446364bf5f12e5ab88c5493c35eaf04 Mon Sep 17 00:00:00 2001
 From: "Miss Islington (bot)"
 <31488909+miss-islington@users.noreply.github.com>
 Date: Sun, 2 May 2021 06:49:03 -0700
 Subject: [PATCH] bpo-36384: Leading zeros in IPv4 addresses are no longer
 tolerated (GH-25099) (GH-25815)
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 Reverts commit e653d4d8e820a7a004ad399530af0135b45db27a and makes
 parsing even more strict. Like socket.inet_pton() any leading zero
 is now treated as invalid input.
 Signed-off-by: Christian Heimes <christian@python.org>
 Co-authored-by: Łukasz Langa <lukasz@langa.pl>
 (cherry picked from commit 60ce8f0be6354ad565393ab449d8de5d713f35bc)
 ---
 Doc/library/ipaddress.rst                           | 19 +++++++++++++++++--
 Lib/ipaddress.py                                    |  5 +++++
 Lib/test/test_ipaddress.py                          | 21 +++++++++++++++++----
 .../2021-03-30-16-29-51.bpo-36384.sCAmLs.rst        |  6 ++++++
 4 files changed, 45 insertions(+), 6 deletions(-)
 create mode 100644 Misc/NEWS.d/next/Security/2021-03-30-16-29-51.bpo-36384.sCAmLs.rst
 diff --git a/Doc/library/ipaddress.rst b/Doc/library/ipaddress.rst
 index 140401d..7dba43f 100644
 --- a/Doc/library/ipaddress.rst
 +++ b/Doc/library/ipaddress.rst
@@ -104,8 +104,7 @@ write code that handles both IP versions correctly.  Address objects are
    1. A string in decimal-dot notation, consisting of four decimal integers in
       the inclusive range 0--255, separated by dots (e.g. ``192.168.0.1``). Each
       integer represents an octet (byte) in the address. Leading zeroes are
 -      tolerated only for values less than 8 (as there is no ambiguity
 -      between the decimal and octal interpretations of such strings).
 +      not tolerated to prevent confusion with octal notation.
    2. An integer that fits into 32 bits.
    3. An integer packed into a :class:`bytes` object of length 4 (most
       significant octet first).
@@ -117,6 +116,22 @@ write code that handles both IP versions correctly.  Address objects are
    >>> ipaddress.IPv4Address(b'\xC0\xA8\x00\x01')
    IPv4Address('192.168.0.1')
 +   .. versionchanged:: 3.8
 +
 +      Leading zeros are tolerated, even in ambiguous cases that look like
 +      octal notation.
 +
 +   .. versionchanged:: 3.10
 +
 +      Leading zeros are no longer tolerated and are treated as an error.
 +      IPv4 address strings are now parsed as strict as glibc
 +      :func:`~socket.inet_pton`.
 +
 +   .. versionchanged:: 3.9.5
 +
 +      The above change was also included in Python 3.9 starting with
 +      version 3.9.5.
 +
    .. attribute:: version
       The appropriate version number: ``4`` for IPv4, ``6`` for IPv6.
 diff --git a/Lib/ipaddress.py b/Lib/ipaddress.py
 index a3a04f7..e1c346c 100644
 --- a/Lib/ipaddress.py
 +++ b/Lib/ipaddress.py
@@ -1173,6 +1173,11 @@ class _BaseV4:
         if len(octet_str) > 3:
             msg = "At most 3 characters permitted in %r"
             raise ValueError(msg % octet_str)
 +        # Handle leading zeros as strict as glibc's inet_pton()
 +        # See security bug bpo-36384
 +        if octet_str != '0' and octet_str[0] == '0':
 +            msg = "Leading zeros are not permitted in %r"
 +            raise ValueError(msg % octet_str)
         # Convert to integer (we know digits are legal)
         octet_int = int(octet_str, 10)
         if octet_int > 255:
 diff --git a/Lib/test/test_ipaddress.py b/Lib/test/test_ipaddress.py
 index 2eba740..5205fb0 100644
 --- a/Lib/test/test_ipaddress.py
 +++ b/Lib/test/test_ipaddress.py
@@ -97,10 +97,23 @@ class CommonTestMixin:
 class CommonTestMixin_v4(CommonTestMixin):
     def test_leading_zeros(self):
 -        self.assertInstancesEqual("000.000.000.000", "0.0.0.0")
 -        self.assertInstancesEqual("192.168.000.001", "192.168.0.1")
 -        self.assertInstancesEqual("016.016.016.016", "16.16.16.16")
 -        self.assertInstancesEqual("001.000.008.016", "1.0.8.16")
 +        # bpo-36384: no leading zeros to avoid ambiguity with octal notation
 +        msg = "Leading zeros are not permitted in '\d+'"
 +        addresses = [
 +            "000.000.000.000",
 +            "192.168.000.001",
 +            "016.016.016.016",
 +            "192.168.000.001",
 +            "001.000.008.016",
 +            "01.2.3.40",
 +            "1.02.3.40",
 +            "1.2.03.40",
 +            "1.2.3.040",
 +        ]
 +        for address in addresses:
 +            with self.subTest(address=address):
 +                with self.assertAddressError(msg):
 +                    self.factory(address)
     def test_int(self):
         self.assertInstancesEqual(0, "0.0.0.0")
 diff --git a/Misc/NEWS.d/next/Security/2021-03-30-16-29-51.bpo-36384.sCAmLs.rst b/Misc/NEWS.d/next/Security/2021-03-30-16-29-51.bpo-36384.sCAmLs.rst
 new file mode 100644
 index 0000000..f956cde
 --- /dev/null
 +++ b/Misc/NEWS.d/next/Security/2021-03-30-16-29-51.bpo-36384.sCAmLs.rst
@@ -0,0 +1,6 @@
 +:mod:`ipaddress` module no longer accepts any leading zeros in IPv4 address
 +strings. Leading zeros are ambiguous and interpreted as octal notation by
 +some libraries. For example the legacy function :func:`socket.inet_aton`
 +treats leading zeros as octal notatation. glibc implementation of modern
 +:func:`~socket.inet_pton` does not accept any leading zeros. For a while
 +the :mod:`ipaddress` module used to accept ambiguous leading zeros.
 -- 
 1.8.3.1
--- a/backport-CVE-2021-3426.patch
+++ b/backport-CVE-2021-3426.patch
@ -0,0 +1,100 @@
 From 7e38d3309e0a5a7b9e23ef933aef0079c6e317f7 Mon Sep 17 00:00:00 2001
 From: "Miss Islington (bot)"
 <31488909+miss-islington@users.noreply.github.com>
 Date: Mon, 29 Mar 2021 06:02:40 -0700
 Subject: [PATCH] bpo-42988: Remove the pydoc getfile feature (GH-25015)
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 CVE-2021-3426: Remove the "getfile" feature of the pydoc module which
 could be abused to read arbitrary files on the disk (directory
 traversal vulnerability). Moreover, even source code of Python
 modules can contain sensitive data like passwords. Vulnerability
 reported by David Schwörer.
 (cherry picked from commit 9b999479c0022edfc9835a8a1f06e046f3881048)
 Co-authored-by: Victor Stinner <vstinner@python.org>
 ---
 Lib/pydoc.py                                   | 18 ------------------
 Lib/test/test_pydoc.py                         |  6 ------
 .../2021-03-24-14-16-56.bpo-42988.P2aNco.rst   |  4 ++++
 3 files changed, 4 insertions(+), 24 deletions(-)
 create mode 100644 Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst
 diff --git a/Lib/pydoc.py b/Lib/pydoc.py
 index dc3377d68f8caa..afec613dd85a06 100644
 --- a/Lib/pydoc.py
 +++ b/Lib/pydoc.py
@@ -2364,9 +2364,6 @@ def page(self, title, contents):
 %s</head><body bgcolor="#f0f0f8">%s<div style="clear:both;padding-top:.5em;">%s</div>
 </body></html>''' % (title, css_link, html_navbar(), contents)
 -        def filelink(self, url, path):
 -            return '<a href="getfile?key=%s">%s</a>' % (url, path)
 -
     html = _HTMLDoc()
@@ -2452,19 +2449,6 @@ def bltinlink(name):
             'key = %s' % key, '#ffffff', '#ee77aa', '<br>'.join(results))
         return 'Search Results', contents
 -    def html_getfile(path):
 -        """Get and display a source file listing safely."""
 -        path = urllib.parse.unquote(path)
 -        with tokenize.open(path) as fp:
 -            lines = html.escape(fp.read())
 -        body = '<pre>%s</pre>' % lines
 -        heading = html.heading(
 -            '<big><big><strong>File Listing</strong></big></big>',
 -            '#ffffff', '#7799ee')
 -        contents = heading + html.bigsection(
 -            'File: %s' % path, '#ffffff', '#ee77aa', body)
 -        return 'getfile %s' % path, contents
 -
     def html_topics():
         """Index of topic texts available."""
@@ -2556,8 +2540,6 @@ def get_html_page(url):
                 op, _, url = url.partition('=')
                 if op == "search?key":
                     title, content = html_search(url)
 -                elif op == "getfile?key":
 -                    title, content = html_getfile(url)
                 elif op == "topic?key":
                     # try topics first, then objects.
                     try:
 diff --git a/Lib/test/test_pydoc.py b/Lib/test/test_pydoc.py
 index c80477c50f0980..72ed8a93b712b0 100644
 --- a/Lib/test/test_pydoc.py
 +++ b/Lib/test/test_pydoc.py
@@ -1360,18 +1360,12 @@ def test_url_requests(self):
             ("topic?key=def", "Pydoc: KEYWORD def"),
             ("topic?key=STRINGS", "Pydoc: TOPIC STRINGS"),
             ("foobar", "Pydoc: Error - foobar"),
 -            ("getfile?key=foobar", "Pydoc: Error - getfile?key=foobar"),
             ]
         with self.restrict_walk_packages():
             for url, title in requests:
                 self.call_url_handler(url, title)
 -            path = string.__file__
 -            title = "Pydoc: getfile " + path
 -            url = "getfile?key=" + path
 -            self.call_url_handler(url, title)
 -
 class TestHelper(unittest.TestCase):
     def test_keywords(self):
 diff --git a/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst b/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst
 new file mode 100644
 index 00000000000000..4b42dd05305a83
 --- /dev/null
 +++ b/Misc/NEWS.d/next/Security/2021-03-24-14-16-56.bpo-42988.P2aNco.rst
@@ -0,0 +1,4 @@
 +CVE-2021-3426: Remove the ``getfile`` feature of the :mod:`pydoc` module which
 +could be abused to read arbitrary files on the disk (directory traversal
 +vulnerability). Moreover, even source code of Python modules can contain
 +sensitive data like passwords. Vulnerability reported by David Schwörer.
--- a/python3.spec
+++ b/python3.spec
@ -3,7 +3,7 @@ Summary: Interpreter of the Python3 programming language
 URL: https://www.python.org/
 Version: 3.8.5
-Release: 10
+Release: 11
 License: Python
 %global branchversion 3.8
@ -100,6 +100,8 @@ Patch254: CVE-2021-3177.patch
 Patch255: backport-CVE-2021-23336.patch
 Patch256: backport-Remove-thread-objects-which-finished-process-its-request.patch
 Patch257: backport-Fix-reference-leak-when-Thread-is-never-joined.patch
 Patch6000: backport-CVE-2021-3426.patch
 Patch6001: backport-CVE-2021-29921.patch
 Provides: python%{branchversion} = %{version}-%{release}
 Provides: python(abi) = %{branchversion}
@ -197,6 +199,8 @@ rm Lib/ensurepip/_bundled/*.whl
 %patch255 -p1
 %patch256 -p1
 %patch257 -p1
 %patch6000 -p1
 %patch6001 -p1
 rm configure pyconfig.h.in
@ -804,6 +808,12 @@ export BEP_GTDLIST="$BEP_GTDLIST_TMP"
 %{_mandir}/*/*
 %changelog
 * Mon May 31 2021 shixuantong<shixuantong@huawei.com> - 3.8.5-11
 - Type:CVE
 - CVE:CVE-2021-3426 CVE-2021-29921
 - SUG:NA
 - DESC:fix CVE-2021-3426 CVE-2021-29921
 * Sun May 23 2021 shixuantong<shixuantong@huawei.com> - 3.8.5-10
 - Type:bugfix
 - ID:NA